Legal

Security testing authorization

This document sets the minimum written authorization and operational conditions CyberSec expects before performing intrusive security services such as penetration testing, vulnerability assessments, ethical hacking, and validation exercises. It supports both website-delivered services and platform-adjacent engagements, but it does not replace signed statements of work, master services agreements, or engagement-specific authorization letters.

Canonical artefact metadata

Owner: CyberSec Legal and Trust Office
Approver: CyberSec Executive Governance
Version: 1.0.0
Last reviewed: 2026-04-20
Next review due: 2026-10-20

Why written authorization is required

Intrusive security testing can generate alerts, service interruption, unstable application behavior, account lockouts, or incidental access to sensitive systems and data. CyberSec will only perform that work where the asset owner, or a duly authorized representative, has granted written permission for the specific scope.

That authorization must exist before testing begins and must be consistent with the signed commercial engagement. Public website statements, informal email chains, or verbal instructions are not sufficient substitutes for scoped written authorization.

Minimum customer authorization requirements

  • Legal name of the customer entity authorizing the work.
  • Confirmation that the signer has authority to permit testing against the in-scope assets, applications, networks, and data.
  • Testing scope including target environments, hostnames, IP ranges, domains, applications, APIs, and any known exclusions.
  • Testing window, preferred hours, freeze periods, and emergency stop or incident contacts.
  • Any required third-party approvals, upstream provider approvals, or internal change-control dependencies.
  • Acknowledgment that intrusive testing can create temporary disruption even where reasonable care is exercised.

Customer pre-test obligations

  • Take backups and resilience steps appropriate to the environment and materiality of the systems under test.
  • Notify internal stakeholders, operations teams, and service owners on a need-to-know basis where appropriate.
  • Identify sensitive, fragile, recently changed, safety-critical, or business-critical systems that require special handling.
  • Confirm whether any third-party managed services, shared hosting, or customer-owned tenant environments need separate authorization or constraints.

CyberSec operational commitments

  • Use reasonable care, professional judgment, and scope controls during the authorized testing window.
  • Notify the customer contact promptly if a serious exploitable issue, unexpected instability, or confirmed access to sensitive information is identified.
  • Treat data and evidence collected during the engagement as confidential and limit use to service delivery, work-paper support, legal obligations, and defence of rights.
  • Remove temporary testing tooling where practicable after the engagement and minimize retained data when it is no longer required.

Risk allocation and hold-harmless position

Because intrusive testing necessarily uses methods that may resemble hostile activity, the customer must acknowledge the operational risks of the agreed testing approach and confirm that CyberSec may perform the scoped work without being treated as an unauthorized actor within that scope.

Any indemnity, limitation of liability, or hold-harmless commitment must be stated in the signed engagement documents. CyberSec does not rely on a generic website notice as the sole source of those protections; the formal contract and the signed authorization letter remain the controlling instruments.

Sample authorization template content

  1. Identify the customer entity, date, and signatory with authority to authorize testing.
  2. Reference the applicable statement of work, scoping document, or services agreement.
  3. Authorize CyberSec Consultants to perform the defined security testing activities against the listed in-scope targets during the stated window.
  4. Confirm customer awareness of testing risks and that backups, internal communications, and required third-party approvals have been handled.
  5. Name primary operational contacts and emergency contacts for the engagement.
  6. State that collected data and evidence will be treated as confidential subject to contractual retention and work-paper requirements.
  7. Set out any agreed liability allocation, indemnity, or hold-harmless wording that applies to the scoped engagement.
  8. Be signed and dated on customer letterhead or through an equivalent authenticated approval workflow accepted by the parties.

Template short form

We, [Customer Legal Name], authorize CyberSec Consultants to perform the security testing activities described in the applicable statement of work or scoping document against the systems, applications, infrastructure, and IP ranges identified as in scope for the agreed engagement window.

We confirm that the undersigned has authority to provide this authorization, that all required third-party permissions and internal approvals have been obtained, and that reasonable pre-test precautions such as backups, stakeholder communications, and change coordination have been completed where necessary.

We acknowledge that intrusive security testing may cause alerts, instability, interruption, or incidental access to sensitive information even where reasonable care is exercised. CyberSec Consultants is authorized to conduct the scoped work in full knowledge of those risks, subject to the confidentiality, liability, indemnity, and hold-harmless terms agreed in the signed engagement documents.